The updated code worked and SEH was overwritten with the address of the POP POP RET instructions.

By passing the exception, by pressing SHIFT + F9, I was redirected to the address of the POP POP RET instructions.

Stepping into the POP POP RET instructions redirected me to the nSEH record, which contained the 4 bytes of B’s.

The next step would be to replace these 4 B’s with a jump instruction that would redirect me to my shellcode. However, as seen above, I couldn’t use the buffer of D’s, as it is only 28 bytes long. Even an egghunter wouldn’t fit there, since it requires 32 bytes of space. Since the buffer of A’s was located right above the 4 bytes of B’s, I had to jump backwards. For this, I couldn’t use a “long jump”, because the equivalent opcode sequence is 5 bytes long and wouldn’t fit inside nSEH, which only has 4 bytes of space. Instead, I jumped back 50 bytes, just like in my previous post. The following shows the code that I used.

As seen here, the negative jump worked. The next step would be to place the egghunter code at this location.

I used !mona egg -t CAPT to generate the egghunter.

Before using the egghunter, I first had to determine the offset (the number of A’s) that precede the egghunter code. To do that, I made a simple computation: original 3495 bytes of A’s + 2 bytes for the backward jump opcodes - 50 bytes for the length of the backward jump = 3447 bytes of A’s. The following shows the updated code.
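The offset arithmetic above is easy to get wrong by two bytes, because a short jump's displacement is relative to the end of the jump instruction, not to the nSEH field itself. The following is an added example, not code from the original post, that models the layout with the numbers given on the page (3495 A’s before nSEH, a 50-byte jump back, a 32-byte egghunter) and checks that the landing point and the space before nSEH are consistent; the function and variable names are my own.

```python
# Layout sanity check for the short backward jump described in the post.
# Only offsets are computed here; no payload is built.

JMP_SHORT_LEN = 2    # a short jump (opcode + rel8 displacement) is two bytes
NSEH_LEN = 4         # nSEH field: the 2-byte jump plus 2 bytes of padding
EGGHUNTER_LEN = 32   # space the egghunter needs, per the post


def rel8(displacement: int) -> int:
    """Encode a signed displacement as the single rel8 byte of a short jump."""
    if not -128 <= displacement <= 127:
        raise ValueError("displacement out of rel8 range; a short jump cannot reach it")
    return displacement & 0xFF          # two's complement, e.g. -50 -> 0xCE


def jump_target(nseh_offset: int, displacement: int) -> int:
    """Offset the jump lands on: rel8 is measured from the END of the jump."""
    return nseh_offset + JMP_SHORT_LEN + displacement


def egghunter_fits(a_bytes_before_nseh: int, jump_back: int,
                   egghunter_len: int = EGGHUNTER_LEN) -> bool:
    """True when the egghunter placed at the landing point ends before nSEH."""
    target = jump_target(a_bytes_before_nseh, -jump_back)
    return target >= 0 and (a_bytes_before_nseh - target) >= egghunter_len


def plan_layout(a_bytes_before_nseh: int, jump_back: int,
                egghunter_len: int = EGGHUNTER_LEN) -> dict:
    """Work out where the egghunter goes and how much filler surrounds it."""
    if not egghunter_fits(a_bytes_before_nseh, jump_back, egghunter_len):
        raise ValueError("egghunter does not fit between the landing point and nSEH")
    target = jump_target(a_bytes_before_nseh, -jump_back)
    room = a_bytes_before_nseh - target      # bytes between landing point and nSEH
    return {
        "rel8": rel8(-jump_back),                     # displacement byte of the jump
        "egghunter_offset": target,                   # number of A's before the egghunter
        "filler_after_egghunter": room - egghunter_len,  # A's needed to reach nSEH again
        "nseh_padding": NSEH_LEN - JMP_SHORT_LEN,     # bytes left in nSEH after the jump
    }


if __name__ == "__main__":
    # Values from the post: 3495 A's, jump back 50 -> egghunter at offset 3447
    print(plan_layout(3495, 50))
```

With the post's numbers this reproduces the 3447 offset and shows that 48 bytes lie between the landing point and nSEH, so the 32-byte egghunter leaves 16 bytes of filler to be re-added before the jump.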